Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
139 item(s) found so far for this keyword.
CloseHandle, NtClose Anti-Debugging
When a process is debugged, calling NtClose
or CloseHandle
with an invalid handle will generate a STATUS_INVALID_HANDLE
exception.
The exception can be cached by an exception handler. If the control is passed to the exception handler, it indicates that a debugger is present.
Detecting Running Process: EnumProcess API Sandbox Evasion Anti-Debugging Anti-Monitoring
Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the EnumProcess
function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system.
By detecting these processes and …
API Obfuscation Anti-Disassembly
API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead …
SuspendThread Anti-Debugging
Suspending threads is a technique used by malware to disable user-mode debuggers and make it more difficult for security analysts to reverse engineer and analyze the code. This can be achieved by using the SuspendThread
function from the kernel32.dll library or the NtSuspendThread
function from the NTDLL.DLL library.
The malware can enumerate the threads of a given process, or search …
DNS API Injection Process Manipulating
DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code …
Debug Registers, Hardware Breakpoints Anti-Debugging
Registers DR0 through DR3 contain the linear address associated with one of the four hardware breakpoint conditions. For anti-debugging, malware will check the contents of the first four debug registers to see if the hardware breakpoint has been set.
LocalSize(0) Anti-Debugging
The function LocalSize
retrieves the current size of the specified local memory object, in bytes. By setting the hMem
parameters with 0 will trigger an exception in a debugger that can be used as an anti-debugging mechanism.
Volume Shadow Copy Service (VSC,VSS) Deletion Anti-Forensic Defense Evasion [Mitre]
Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.
On the other hand, deleting by using vssadmin and WMIC is on a file system level, the actual …
AddVectoredExceptionHandler Anti-Debugging
The AddVectoredExceptionHandler
technique is an anti-debugging method that can detect the presence of debuggers using Vectored Exception Handlers. This technique works by calling AddVectoredExceptionHandler(1, ourHandler)
to register a top-level exception handler that will catch any exceptions raised by the process, including those generated by debuggers.
After this call has taken place, stepping through the code will trigger an EXCEPTION_SINGLE_STEP
exception, …